Comparing running processes in Windows Server 2008 in Full and Core installs

Windows Server 2008 Server Core installation is a minimal install of the upcoming Windows Server OS that can run specific roles (like DNS, Active Directory or File Server) with a much smaller footprint and attack surface. In a previous blog post I looked into overall image sizes for both and also discussed some of the details about the differences between these Full and the Core installs. I later discussed which files are on disk for each one. Now I am looking at the processes running in the the two types of install.

This time I opted to install a couple of components on the servers before comparing them. I loaded the Virtual PC 2007 virtual machine extensions and the DNS Server role (which is available for both). I then used the systeminfo.exe and tasklist.exe (which also exists in both install) to compare the differences in loaded process, physical memory and pagefile memory used. A third test included running the LoadOrder tool from SysInternals to check for drivers and services loaded.

My goal here is not to have very precise lists, but to get a feeling for how the Full and Core installs compare. Also note that Windows Server 2008 is in pre-release format today (there is a public Beta 3 and an MSDN-and-TechNet-subscribers-only release called June CTP or IDS3). Keep in mind that this will most likely change before final release. The information here is based on an Enterprise edition, June CTP bits.

Here are the results:

SystemInfo Output

Host Name:

WS2008CORE

WS2008FULL

OS Name:

Microsoftr Windows Serverr 2008 Enterprise

Microsoftr Windows Serverr 2008 Enterprise

OS Version:

6.0.6001 Service Pack 1, v.222 Build 6001

6.0.6001 Service Pack 1, v.222 Build 6001

OS Manufacturer:

Microsoft Corporation

Microsoft Corporation

OS Configuration:

Standalone Server

Standalone Server

OS Build Type:

Multiprocessor Free

Multiprocessor Free

Original Install Date:

8/1/2007, 10:34:02 AM

8/1/2007, 10:59:24 AM

System Boot Time:

8/1/2007, 4:35:49 PM

8/1/2007, 4:35:41 PM

System Manufacturer:

Microsoft Corporation

Microsoft Corporation

System Model:

Virtual Machine

Virtual Machine

System Type:

X86-based PC

X86-based PC

Processor(s):

[01]: x64 Family 6 Model 15 Stepping 6 GenuineIntel ~5 Mhz

[01]: x64 Family 6 Model 15 Stepping 6 GenuineIntel ~5 Mhz

BIOS Version:

American Megatrends Inc. 080002 , 2/22/2006

American Megatrends Inc. 080002 , 2/22/2006

Windows Directory:

C:Windows

C:Windows

System Directory:

C:Windowssystem32

C:Windowssystem32

Boot Device:

DeviceHarddiskVolume1

DeviceHarddiskVolume1

System Locale:

en-us;English (United States)

en-us;English (United States)

Input Locale:

en-us;English (United States)

en-us;English (United States)

Time Zone:

(GMT-08:00) Pacific Time (US & Canada)

(GMT-08:00) Pacific Time (US & Canada)

Total Physical Memory:

1,023 MB

1,023 MB

Available Physical Memory:

821 MB

766 MB

Page File: Max Size:

2,298 MB

2,297 MB

Page File: Available:

2,137 MB

2,093 MB

Page File: In Use:

161 MB

204 MB

Page File Location(s):

C:pagefile.sys

C:pagefile.sys

Domain:

WORKGROUP

WORKGROUP

Logon Server:

\WS2008CORE

\WS2008FULL

Hotfix(s):

N/A

N/A

Network Card(s):

N/A *

[01]: Intel 21140-Based PCI Fast Ethernet Adapter (Emulated)

* The Core install did have the same network card and I confirmed it was enable by acessing the system remotely. For some reason systeminfo.exe could not gather that information in the Core install.

I combined the output of a simple "tasklist.exe" and "tasklist.exe /svc" to produce the list. Services shown in () appeared only in the Full install. Since I ran tasklist.exe on a command line, cmd.exe shows in both sides.

LoadOrder Output

Last by not least, I captured the output of the LoadOrder tool from TechNet (part of the tools coming from SysInternals). This tool shows the order on which all drivers and services loaded. I used this output to find out which drivers and services do not load on a Server Core install. Here it is (items marked with an X on the first column do not load on a Server Core install):

Group name

Tag

Service/Device

Display Name

profsvc_group

n/a*

ProfSvc

@%systemroot%system32profsvc.dll,-300

ProfSvc_Group

n/a*

SENS

@%SystemRoot%system32Sens.dll,-200

ProfSvc_Group

n/a*

slsvc

@%SystemRoot%system32SLsvc.exe,-101

X

UIGroup

n/a*

UxSms

@%SystemRoot%system32dwm.exe,-2000

PlugPlay

n/a*

PlugPlay

@%SystemRoot%system32umpnpmgr.dll,-100

NDIS

14

rspndr

Link-Layer Topology Discovery Responder

NDIS

15

lltdio

Link-Layer Topology Discovery Mapper I/O Driver

TDI

n/a*

Dhcp

@%SystemRoot%system32dhcpcsvc.dll,-100

TDI

n/a*

Dnscache

@%SystemRoot%System32dnsapi.dll,-101

TDI

n/a*

lmhosts

@%SystemRoot%system32lmhsvc.dll,-101

X

ShellSvcGroup

n/a*

ShellHWDetection

@%SystemRoot%System32shsvcs.dll,-12288

SchedulerGroup

n/a*

Schedule

@%SystemRoot%system32schedsvc.dll,-100

NetworkProvider

n/a*

BFE

@%SystemRoot%system32bfe.dll,-1001

NetworkProvider

n/a*

LanmanWorkstation

@%systemroot%system32wkssvc.dll,-100

NetworkProvider

n/a*

MpsSvc

@%SystemRoot%system32FirewallAPI.dll,-23090

MS_WindowsLocalValidation

n/a*

SamSs

@%SystemRoot%system32samsrv.dll,-1

X

SpoolerGroup

n/a*

Spooler

@%systemroot%system32spoolsv.exe,-1

Extended Base

13

Parvdm

n/a*

n/a*

1-vmsrvc

Virtual Machine Additions Services Application

n/a*

n/a*

AeLookupSvc

@%SystemRoot%system32aelupsvc.dll,-1

n/a*

n/a*

BITS

@%SystemRoot%system32qmgr.dll,-1000

n/a*

n/a*

CryptSvc

@%SystemRoot%system32cryptsvc.dll,-1001

n/a*

n/a*

DNS

@%systemroot%system32dns.exe,-49157

n/a*

n/a*

DPS

@%systemroot%system32dps.dll,-500

n/a*

n/a*

EventSystem

@comres.dll,-2450

n/a*

n/a*

IKEEXT

@%SystemRoot%system32ikeext.dll,-501

n/a*

n/a*

iphlpsvc

@%SystemRoot%system32iphlpsvc.dll,-200

n/a*

n/a*

KtmRm

@comres.dll,-2946

n/a*

n/a*

LanmanServer

@%systemroot%system32srvsvc.dll,-100

n/a*

n/a*

MRxVPC

Virtual Machine Additions Folder Sharing Driver

n/a*

n/a*

MSDTC

@comres.dll,-2797

n/a*

n/a*

netprofm

@%SystemRoot%system32netprof.dll,-246

n/a*

n/a*

NlaSvc

@%SystemRoot%System32nlasvc.dll,-1

n/a*

n/a*

nsi

@%SystemRoot%system32nsisvc.dll,-200

X

n/a*

n/a*

PEAUTH

PEAUTH

n/a*

n/a*

PolicyAgent

@%SystemRoot%System32polstore.dll,-5010

n/a*

n/a*

RemoteRegistry

@regsvc.dll,-1

X

n/a*

n/a*

secdrv

Security Driver

n/a*

n/a*

seclogon

@%SystemRoot%system32seclogon.dll,-7001

n/a*

n/a*

tcpipreg

TCP/IP Registry Compatibility

n/a*

n/a*

TermService

@%SystemRoot%System32termsrv.dll,-268

X

n/a*

n/a*

TrkWks

@%SystemRoot%system32trkwks.dll,-1

n/a*

n/a*

VPCMap

Virtual Machine Additions Shared Folder Service

n/a*

n/a*

W32Time

@%SystemRoot%system32w32time.dll,-200

X

n/a*

n/a*

WerSvc

@%SystemRoot%System32wersvc.dll,-100

n/a*

n/a*

Winmgmt

@%Systemroot%system32wbemwmisvc.dll,-205

n/a*

n/a*

WinRM

@%Systemroot%system32wsmsvc.dll,-101

n/a*

n/a*

wuauserv

@%systemroot%system32wuaueng.dll,-105

So the items not loaded in Server Core does are components related to User Interface, Shell, Spooler, peauth, secdrv, Distributed Link Tracking Client Service (TrkWks) and Windows Error Reporting Service (WerSvc).